From dab61500186e3b0c56962909e08f0407625d111d Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Thu, 7 Dec 2023 18:13:26 +0100 Subject: [PATCH 1/5] refactor luks_reencrypt and make secrets disappear from screen Signed-off-by: Christian Foerster --- initrd/etc/luks-functions | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index e962be01a..be7ceef20 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -349,14 +349,13 @@ luks_reencrypt() { --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under\nthe following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete the TPM Disk Unlock Key slot, if set up, by setting a default\n boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80 echo -e "\nEnter the current Disk Recovery Key passphrase:" read -r luks_current_Disk_Recovery_Key_passphrase - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" - cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase - else - echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase - warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" - cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase fi + echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase + #make secrets disappear from screen as reencryption can take a long time (we show these to the user again later in whiptail anyway) + printf "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" + warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" + cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase + #Validate past cryptsetup-reencrypt attempts if [ $(echo $?) -ne 0 ]; then whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ From ee6f299d9c4bdee5e24186ede2542ceadc4ace91 Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Thu, 7 Dec 2023 18:15:26 +0100 Subject: [PATCH 2/5] prompt for updating checksums after LUKS header change Signed-off-by: Christian Foerster --- initrd/bin/gui-init | 2 ++ 1 file changed, 2 insertions(+) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index ac75de7bd..e4c06aab4 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -465,10 +465,12 @@ show_options_menu() C ) luks_reencrypt luks_secrets_cleanup + prompt_update_checksums ;; P ) luks_change_passphrase luks_secrets_cleanup + prompt_update_checksums ;; R ) root-hashes-gui.sh From 73152c79737f0c678bc65b8d51d3db7d2bdf29ae Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Sun, 17 Dec 2023 13:41:43 +0100 Subject: [PATCH 3/5] Use clear instead of printf Signed-off-by: Christian Foerster --- initrd/etc/luks-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions index be7ceef20..ba445c477 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions @@ -352,7 +352,7 @@ luks_reencrypt() { fi echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase #make secrets disappear from screen as reencryption can take a long time (we show these to the user again later in whiptail anyway) - printf "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n" + clear warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase From 310fc6a109aa600af7a03af56068b92c5541c939 Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Sun, 17 Dec 2023 17:45:28 +0100 Subject: [PATCH 4/5] Revert "prompt for updating checksums after LUKS header change" This reverts commit ee6f299d9c4bdee5e24186ede2542ceadc4ace91. Will communicate to the user the need to update checksums instead. Signed-off-by: Christian Foerster --- initrd/bin/gui-init | 2 -- 1 file changed, 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index e4c06aab4..ac75de7bd 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -465,12 +465,10 @@ show_options_menu() C ) luks_reencrypt luks_secrets_cleanup - prompt_update_checksums ;; P ) luks_change_passphrase luks_secrets_cleanup - prompt_update_checksums ;; R ) root-hashes-gui.sh From 7bc763e0b922348c110342857d861f0f89ab3d0f Mon Sep 17 00:00:00 2001 From: Christian Foerster Date: Sun, 17 Dec 2023 18:23:56 +0100 Subject: [PATCH 5/5] Notify user of result and next steps Signed-off-by: Christian Foerster --- initrd/bin/gui-init | 2 ++ 1 file changed, 2 insertions(+) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index ac75de7bd..a161fc0f5 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -464,10 +464,12 @@ show_options_menu() ;; C ) luks_reencrypt + [[ -n "$luks_current_Disk_Recovery_Key_passphrase" ]] && whiptail --title 'Reencryption successful!' --msgbox "Your LUKS volume was successfully reencrypted!\n\nNote that before booting the next time you should update your checksums.\nIf you are using a TPM Disk Unlock Key you also need to reseal that key." 0 80 luks_secrets_cleanup ;; P ) luks_change_passphrase + [[ -n "$luks_new_Disk_Recovery_Key_passphrase" ]] && whiptail --title 'Passphrase change successful!' --msgbox "Your LUKS volume passphrase was successfully changed!\n\nNote that before booting the next time you should update your checksums.\nIf you are using a TPM Disk Unlock Key you also need to reseal that key." 0 80 luks_secrets_cleanup ;; R )